Visibly pushdown automata (VPAs), introduced by Alur and Madhusudan in 2004, form a subclass of pushdown automata whose stack behavior is completely determined by the input symbol according to a fixed partition of the input alphabet. Since their introduction, VPAs have proved useful in various contexts, e.g., as a specification formalism for verification and as an automaton model for processing XML streams. Because of the high complexity involved, however, implementing formal verification in the VPA framework is a challenge. In this paper we consider the problem of implementing VPA-based model checking algorithms. To this end, we first present an improved upper bound for the determinization of VPAs. Next, we propose simple on-the-fly algorithms for the universality and inclusion problems of this automata class. Then, we implement the proposed algorithms in a prototype tool. Finally, we conduct experiments on randomly generated VPAs. The experimental results show that the proposed algorithms are considerably faster than the standard ones.



1 Introduction 

Visibly pushdown automata [1] are pushdown automata whose stack behavior (i.e. whether to execute a push, a pop, or no stack operation) is completely determined by the input symbol according to a fixed partition of the input alphabet. As shown in [1], the class of visibly pushdown automata enjoys many good properties similar to those of the class of finite automata. The main reason is that each nondeterministic VPA can be transformed into an equivalent deterministic one. Therefore, checking context-free properties of pushdown models is feasible as long as the calls and returns are made visible. As a result, visibly pushdown automata have turned out to be useful in various contexts, e.g. as a specification formalism for verification and synthesis problems for pushdown syst[3, 4, 11], as an automaton model for processing XML streams [10, 9], and as AOP protocols for component-based systems [12, 15].

As each nondeterministic VPA can be determinized, all problems that concern the accepted languages, such as the universality and inclusion problems, are decidable. To check universality of a nondeterministic VPA $M$ over its alphabet $\Sigma$ (that is, to check whether $L(M) = \Sigma^*$), the standard method is to first make it complete, determinize it, complement it, and then check for emptiness. To check the inclusion $L(M) \subseteq L(N)$, the standard method computes the complement of $N$, takes its intersection with $M$, and then checks for emptiness. This is costly, as computing the complement necessitates a full determinization. This explosion is in some sense unavoidable, because determinization of VPAs requires an exponential blowup [1]. Therefore, one of the questions raised is whether one can efficiently implement operations like determinization as well as decision procedures like universality (or inclusion) checking for VPAs.

In recent years, a new approach called the antichain method has been proposed to efficiently implement operations like universality or inclusion checking on nondeterministic word or tree automata [14, 6]. Unfortunately, the antichain technique cannot be used directly for checking universality and inclusion of VPAs. This is because the set of configurations of a VPA is infinite and thus computing the set of antichains may not terminate. In this paper, we focus on the problem of checking universality and inclusion for VPAs. We make the following contributions towards this overall goal.

• First, we present an improved upper bound for the determinization of VPAs. In [1], Alur and Madhusudan showed that any nondeterministic VPA with $n$ states can be translated into a deterministic one with at most $2^{n^2+n}$ states. Here, we show that this upper bound can be made tighter. More precisely, we optimize Alur and Madhusudan's determinization procedure, and show that any nondeterministic VPA with $n$ states can be transformed into a deterministic one with at most $2^{n^2}$ states.

• Second, we apply the standard method to check the universality and inclusion problems for nondeterministic VPAs. This method includes two main steps: determinization and reachability checking for non-accepting configurations. For determinization, we use Alur and Madhusudan's procedure [1]. For reachability checking, we apply the symbolic technique of P-automata [5, 7] to compute the set of all reachable configurations of a VPA.

• Third, we present an on-the-fly method to check universality of VPAs. The idea is very simple: we perform determinization and reachability checking by P-automaton simultaneously. For checking universality of a nondeterministic VPA $M$, we first create the initial state of the determinized VPA $M^d$ and initiate a P-automaton $A$ to represent the initial configuration of $M^d$. Second, we construct the new transitions departing from the initial state and update the P-automaton $A$. Then, the determinized VPA $M^d$ is updated using the new states and transitions of $A$ (which correspond to pairs of states and topmost stack symbols of $M^d$), and so on. When a non-accepting state is added to $A$, we stop and report that $M$ is not universal.

• Fourth, we also propose a new algorithmic solution to inclusion checking for VPAs in an on-the-fly manner. Again, no explicit determinization is performed. To solve the language-inclusion problem $L(M) \subseteq L(N)$ for nondeterministic VPAs, the main idea is to search for a word $w$ accepted by $M$ but not by $N$, i.e., $w \in L(M) \setminus L(N)$.

• Finally, we have implemented all algorithms in a prototype tool (written in Java 1.5) and tested them in a series of experiments. Although the standard methods and the on-the-fly ones have the same worst-case complexity, our preliminary experiments on randomly generated visibly pushdown automata show a significant improvement of the on-the-fly methods over the standard ones.

The remainder of this paper is organized as follows. In Section 2 we recall notions and properties of VPAs, and then we give an improvement on the determinization of VPAs. Section 3 presents new algorithms for checking universality and inclusion of VPAs. The implementation as well as experimental results are presented and analyzed in Section 4. Section 5 discusses related work. Finally, we conclude the paper in Section 6.
2 Visibly Pushdown Automata
2.1 Definitions 

In this section we briefly recall the notions and properties of visibly pushdown automata. Readers are referred to the seminal paper [1] for more details.

Let $\Sigma$ be the finite input alphabet, and let $\Sigma = \Sigma_c \cup \Sigma_r \cup \Sigma_i$ be a partition of $\Sigma$. The intuition behind the partition is: $\Sigma_c$ is the finite set of call (push) symbols, $\Sigma_r$ is the finite set of return (pop) symbols, and $\Sigma_i$ is the finite set of internal symbols. Visibly pushdown automata are formally defined as follows:

Definition 1 A visibly pushdown automaton (VPA) $M$ over $\Sigma$ is a tuple $(Q, Q_0, \Gamma, \Delta, F)$ where $Q$ is a finite set of states, $Q_0 \subseteq Q$ is a set of initial states, $F \subseteq Q$ is a set of final states, $\Gamma$ is a finite stack alphabet with a special symbol $\bot$ (representing the bottom of the stack), and $\Delta = \Delta_c \cup \Delta_r \cup \Delta_i$ is the transition relation, where $\Delta_c \subseteq Q \times \Sigma_c \times Q \times (\Gamma \setminus \{\bot\})$, $\Delta_r \subseteq Q \times \Sigma_r \times \Gamma \times Q$, and $\Delta_i \subseteq Q \times \Sigma_i \times Q$.

If $(q, c, q', \gamma) \in \Delta_c$ where $c \in \Sigma_c$ and $\gamma \neq \bot$, there is a push-transition from $q$ on input $c$: on reading $c$, $\gamma$ is pushed onto the stack and the control changes from state $q$ to $q'$; we denote such a transition by $q \xrightarrow{c/+\gamma} q'$. Similarly, if $(q, r, \gamma, q') \in \Delta_r$, there is a pop-transition from $q$ on input $r$ where $\gamma$ is read from the top of the stack and popped (if the top of the stack is $\bot$, then it is read but not popped), and the control state changes from $q$ to $q'$; we denote such a transition by $q \xrightarrow{r/-\gamma} q'$. If $(q, i, q') \in \Delta_i$, there is an internal-transition from $q$ on input $i$ where on reading $i$ the state changes from $q$ to $q'$; we denote such a transition by $q \xrightarrow{i} q'$. Note that there are no stack operations on internal transitions.

We write $St$ for the set of stacks $\{w\bot \mid w \in (\Gamma \setminus \{\bot\})^*\}$. A configuration is a pair $(q, \sigma)$ of $q \in Q$ and $\sigma \in St$. The transition relation of a VPA can be used to define how the configuration of the machine changes in a single step: we say $(q, \sigma) \xrightarrow{a} (q', \sigma')$ if one of the following conditions holds:

• If $a \in \Sigma_c$, then there exists $\gamma \in \Gamma$ such that $q \xrightarrow{a/+\gamma} q'$ and $\sigma' = \gamma \cdot \sigma$.

• If $a \in \Sigma_r$, then there exists $\gamma \in \Gamma$ such that $q \xrightarrow{a/-\gamma} q'$ and either $\sigma = \gamma \cdot \sigma'$, or $\gamma = \bot$ and $\sigma = \sigma' = \bot$.

• If $a \in \Sigma_i$, then $q \xrightarrow{a} q'$ and $\sigma = \sigma'$.

A $(q_0, w_0)$-run on a word $u = a_1 \cdots a_n$ is a sequence of configurations $(q_0, w_0) \xrightarrow{a_1} (q_1, w_1) \xrightarrow{a_2} \cdots \xrightarrow{a_n} (q_n, w_n)$, and is denoted by $(q_0, w_0) \xrightarrow{u} (q_n, w_n)$. A word $u$ is accepted by $M$ if there is a run $(q_0, w_0) \xrightarrow{u} (q_n, w_n)$ with $q_0 \in Q_0$, $w_0 = \bot$, and $q_n \in F$. The language $L(M)$ is the set of words accepted by $M$. A language $L \subseteq \Sigma^*$ is a visibly pushdown language (VPL) if there exists a VPA $M$ with $L = L(M)$.

Definition 2 A VPA $M$ is deterministic if $|Q_0| = 1$ and for every configuration $(q, \sigma)$ and $a \in \Sigma$ there is at most one transition from $(q, \sigma)$ on $a$. For deterministic VPAs (DVPAs) we denote the transition relation by $\delta$ instead of $\Delta$, and write:

1. $\delta(q, a) = (q', \gamma)$ instead of $(q, a, q', \gamma) \in \Delta$ if $a \in \Sigma_c$,

2. $\delta(q, a, \gamma) = q'$ instead of $(q, a, \gamma, q') \in \Delta$ if $a \in \Sigma_r$, and

3. $\delta(q, a) = q'$ instead of $(q, a, q') \in \Delta$ if $a \in \Sigma_i$.
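As an added illustration (this code is not from the paper), the single-step relation above can be executed directly on sets of configurations, which is how a nondeterministic VPA is simulated without determinizing it; the bottom-of-stack case, where a return reads $\bot$ without popping it, is the one that is easiest to get wrong. The VPA below is constructed for this purpose and is not the one of Figure 1: it accepts exactly the words whose last symbol is a return matched by an earlier call, guessing that call nondeterministically. The dictionary encoding of a VPA and the names `BOT`, `step`, `run` and `accepts` are mine.

```python
# Added example (not the paper's code): Definition 1 executed on sets of configurations.
BOT = "bot"   # bottom-of-stack symbol; stacks are tuples with the top first and BOT last


def example_vpa():
    """Constructed VPA over Sigma_c={a}, Sigma_r={c}, Sigma_i={b} with Gamma={g, h, bot}.
    Tables: c[(q, a)] = {(q', gamma)}, i[(q, a)] = {q'}, r[(q, a, gamma)] = {q'}.
    L(M) = words whose last symbol is a matched return: on some call the automaton
    guesses that this call matches the final return and pushes h instead of g."""
    return {"Q0": {0}, "F": {2}, "calls": {"a"}, "rets": {"c"}, "ints": {"b"},
            "c": {(0, "a"): {(0, "g"), (1, "h")}, (1, "a"): {(1, "g")}},
            "i": {(0, "b"): {0}, (1, "b"): {1}},
            "r": {(0, "c", "g"): {0}, (0, "c", BOT): {0},     # unmatched return on bot: stay in 0
                  (1, "c", "g"): {1}, (1, "c", "h"): {2}}}    # popping h must end the word


def step(M, confs, a):
    """All configurations reachable from `confs` in one step on symbol a (the three
    cases of Definition 1).  Missing transitions simply yield no successor."""
    out = set()
    for q, stack in confs:
        if a in M["calls"]:
            for q2, gamma in M["c"].get((q, a), ()):
                out.add((q2, (gamma,) + stack))                 # push gamma
        elif a in M["ints"]:
            for q2 in M["i"].get((q, a), ()):
                out.add((q2, stack))                            # stack untouched
        elif a in M["rets"]:
            top = stack[0]
            for q2 in M["r"].get((q, a, top), ()):
                out.add((q2, stack if top == BOT else stack[1:]))   # bot is read, not popped
        else:
            raise ValueError(f"{a!r} is not in the partitioned alphabet")
    return out


def run(M, word):
    """Set of configurations after reading `word` from all initial configurations (q0, bot)."""
    confs = {(q, (BOT,)) for q in M["Q0"]}
    for a in word:
        confs = step(M, confs, a)
    return confs


def accepts(M, word):
    return any(q in M["F"] for q, _ in run(M, word))


if __name__ == "__main__":
    M = example_vpa()
    for w in ("ac", "aac", "aabcc", "c", "acb", "a"):
        print(w, accepts(M, w))
```

On "aac" the run ends in $\{(0, g\bot), (2, g\bot), (1, h\bot)\}$: the accepting branch is the one that pushed $h$ on the second call, so acceptance here genuinely depends on the guess, which is what determinization has to summarize.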
2.2 Determinization

As shown in [1], any nondeterministic VPA can be transformed into an equivalent deterministic one. The key idea of the determinization procedure is to do a subset construction, but postponing the handling of push transitions. The push transitions are stored on the stack and simulated at the time of the matching pop transitions. The construction has two components: a set of summary edges $S$, which keeps track of which state transitions are possible from a push transition to the corresponding pop transition, and a set of path edges $R$, which keeps track of all states reachable from the initial states. For completeness, we briefly recall the original determinization procedure [1] below.

Let $M = (Q, Q_0, \Gamma, \Delta, F)$ be a nondeterministic VPA. We construct an equivalent deterministic VPA $M' = (Q', Q'_0, \Gamma', \Delta', F')$ as follows: $Q' = 2^{Q \times Q} \times 2^Q$, $Q'_0 = \{(Id_Q, Q_0)\}$ where $Id_Q = \{(q, q) \mid q \in Q\}$, $F' = \{(S, R) \mid R \cap F \neq \emptyset\}$, $\Gamma' = Q' \times \Sigma_c$, and the transition relation $\Delta' = \Delta'_i \cup \Delta'_c \cup \Delta'_r$ is given by:

• Internal: For every $a \in \Sigma_i$, $(S, R) \xrightarrow{a} (S', R') \in \Delta'_i$ where $S' = \{(q, q') \mid \exists q'' \in Q : (q, q'') \in S,\ q'' \xrightarrow{a} q' \in \Delta_i\}$ and $R' = \{q' \mid \exists q \in R : q \xrightarrow{a} q' \in \Delta_i\}$.

• Push: For every $a \in \Sigma_c$, $(S, R) \xrightarrow{a/+(S,R,a)} (Id_Q, R') \in \Delta'_c$ where $R' = \{q' \mid \exists q \in R,\ \gamma \in \Gamma : q \xrightarrow{a/+\gamma} q' \in \Delta_c\}$.

• Pop: For every $a \in \Sigma_r$,

- if the stack is empty: $(S, R) \xrightarrow{a/-\bot} (S', R') \in \Delta'_r$ where $S' = \{(q, q') \mid \exists q'' \in Q : (q, q'') \in S,\ q'' \xrightarrow{a/-\bot} q' \in \Delta_r\}$ and $R' = \{q' \mid \exists q \in R : q \xrightarrow{a/-\bot} q' \in \Delta_r\}$.

- otherwise: $(S, R) \xrightarrow{a/-(S',R',a')} (S'', R'') \in \Delta'_r$, where
  $R'' = \{q' \mid \exists q \in R' : (q, q') \in Update\}$,
  $S'' = \{(q, q') \mid \exists q_3 \in Q : (q, q_3) \in S',\ (q_3, q') \in Update\}$, and
  $Update = \{(q, q') \mid \exists q_1 \in Q,\ q_2 \in R,\ \gamma \in \Gamma : (q_1, q_2) \in S,\ q \xrightarrow{a'/+\gamma} q_1 \in \Delta_c,\ q_2 \xrightarrow{a/-\gamma} q' \in \Delta_r\}$.

Theorem 1 ([1, Theorem 2]) Let $M$ be a VPA. The VPA $M'$ is deterministic and $L(M') = L(M)$. Moreover, if $M$ has $n$ states, one can construct $M'$ with at most $2^{n^2+n}$ states and with a stack alphabet of size $|\Sigma_c| \cdot 2^{n^2+n}$.

Example 1 We illustrate the original determinization procedure by the example in Figure 1.



2.3 An Improvement on Complexity for Determinization

During the implementation of VPA operations, we found that the set of summaries $S$ in the determinization may contain unnecessary pairs, in the sense that these pairs do not keep information about reachable states. In other words, for a state $(S, R)$ of the determinized VPA, $\Pi_2(S)$ does not always equal $R$, where $\Pi_2$ is the projection on the second component. In the following, we present an optimization of the determinization that keeps the set of summaries as small as possible. This simple observation leads to a tighter bound for determinization.
Figure 1: An example for determinization of VPA. (a) A nondeterministic VPA $M$; (b) a part of the determinized VPA $M'$, whose stack symbols are $A1 = (\{(0,0),(1,1)\}, \{0\}, a)$, $A2 = (\{(0,0),(1,1)\}, \{0,1\}, a)$, $A3 = (\{(1,0),(1,1)\}, \{\}, a)$ and $A4 = (\{(0,0),(1,1)\}, \{\}, a)$.
2.3.1 Optimize the $S$-Component

We first optimize Alur and Madhusudan's determinization of VPAs by minimizing the set of summaries $S$. Given a finite set $X$, let us denote $Id_X = \{(q, q) \mid q \in X\}$.

Let $M = (Q, Q_0, \Gamma, \Delta, F)$ be a nondeterministic VPA. We construct an equivalent deterministic VPA $M^d = (Q', Q'_0, \Gamma', \Delta', F')$ as follows: $Q' = 2^{Q \times Q} \times 2^Q$, $Q'_0 = \{(Id_{Q_0}, Q_0)\}$, $F' = \{(S, R) \mid R \cap F \neq \emptyset\}$, $\Gamma' = Q' \times \Sigma_c$, and the transition relation $\Delta' = \Delta'_i \cup \Delta'_c \cup \Delta'_r$ is given by:

• Internal: For every $a \in \Sigma_i$, $(S, R) \xrightarrow{a} (S', R') \in \Delta'_i$ where $S' = \{(q, q') \mid \exists q'' \in Q : (q, q'') \in S,\ q'' \xrightarrow{a} q' \in \Delta_i\}$ and $R' = \{q' \mid \exists q \in R : q \xrightarrow{a} q' \in \Delta_i\}$.

• Push: For every $a \in \Sigma_c$, $(S, R) \xrightarrow{a/+(S,R,a)} (Id_{R'}, R') \in \Delta'_c$ where $R' = \{q' \mid \exists q \in R,\ \gamma \in \Gamma : q \xrightarrow{a/+\gamma} q' \in \Delta_c\}$.

• Pop: For every $a \in \Sigma_r$,

- if the stack is empty: $(S, R) \xrightarrow{a/-\bot} (S', R') \in \Delta'_r$ where $S' = \{(q, q') \mid \exists q'' \in Q : (q, q'') \in S,\ q'' \xrightarrow{a/-\bot} q' \in \Delta_r\}$ and $R' = \{q' \mid \exists q \in R : q \xrightarrow{a/-\bot} q' \in \Delta_r\}$.

- otherwise: $(S, R) \xrightarrow{a/-(S',R',a')} (S'', R'') \in \Delta'_r$, where
  $R'' = \{q' \mid \exists q \in R' : (q, q') \in Update\}$,
  $S'' = \{(q, q') \mid \exists q_3 \in Q : (q, q_3) \in S',\ (q_3, q') \in Update\}$, and
  $Update = \{(q, q') \mid \exists q_1, q_2 \in Q,\ \gamma \in \Gamma : (q_1, q_2) \in S,\ q \xrightarrow{a'/+\gamma} q_1 \in \Delta_c,\ q_2 \xrightarrow{a/-\gamma} q' \in \Delta_r\}$.
Remark 1 The main differences between our construction and the original one are: (1) we initiate the initial state as $(Id_{Q_0}, Q_0)$ instead of $(Id_Q, Q_0)$; and (2) after reading a push symbol, the automaton enters the state $(Id_{R'}, R')$ instead of $(Id_Q, R')$.

Lemma 1 For a given nondeterministic VPA $M$, let $M^d$ be the deterministic VPA constructed from $M$ as above. Then $\Pi_2(S) = R$ for any state $(S, R)$ of $M^d$, where $\Pi_2$ is the projection on the second component.

Proof 1 Since the states of $M^d$ are generated in an on-the-fly manner, we prove the lemma by induction on the length of input words. Let $w$ be an input word.

1. If $|w| = 0$, the lemma holds because $Q'_0 = \{(Id_{Q_0}, Q_0)\}$ and $\Pi_2(Id_{Q_0}) = Q_0$.

2. If $|w| = 1$, then $w = a \in \Sigma$. Consider the three cases of $a$:

• If $a \in \Sigma_i$: Based on the construction of transitions, we have $(Id_{Q_0}, Q_0) \xrightarrow{a} (S, R) \in \Delta'_i$ where $S = \{(q, q') \mid \exists q'' \in Q_0 : (q, q'') \in Id_{Q_0},\ q'' \xrightarrow{a} q' \in \Delta_i\}$ and $R = \{q' \mid \exists q \in Q_0 : q \xrightarrow{a} q' \in \Delta_i\}$. It is easy to verify that $\Pi_2(S) = R$.

• If $a \in \Sigma_c$: The proof is trivial.

• If $a \in \Sigma_r$: Since the stack is empty, the proof is similar to the case of internal symbols.

3. If $|w| = 2$, assume that $w = a_1 a_2$. The proof is trivial for the cases $a_1 \in \Sigma_i \cup \Sigma_c \wedge a_2 \in \Sigma_i \cup \Sigma_c$ and $a_1 \in \Sigma_i \wedge a_2 \in \Sigma_r$. We now check the last case, $a_1 \in \Sigma_c \wedge a_2 \in \Sigma_r$. After reading $a_1$, the current state of $M^d$ is $(S, R)$ (with $\Pi_2(S) = R$ by the induction assumption) and the stack content is $(Id_{Q_0}, Q_0, a_1)\bot$. On reading $a_2$, a transition of $M^d$ is created: $(S, R) \xrightarrow{a_2/-(Id_{Q_0}, Q_0, a_1)} (S', R') \in \Delta'_r$ where $R' = \{q' \mid \exists q \in Q_0 : (q, q') \in Update\}$, $S' = \{(q, q') \mid \exists q \in Q : (q, q) \in Id_{Q_0},\ (q, q') \in Update\}$, and $Update = \{(q, q') \mid \exists q_1, q_2 \in Q,\ \gamma \in \Gamma : (q_1, q_2) \in S,\ q \xrightarrow{a_1/+\gamma} q_1 \in \Delta_c,\ q_2 \xrightarrow{a_2/-\gamma} q' \in \Delta_r\}$. It is easy to see in this case that $\Pi_2(S') = R'$.

4. Now assume that the lemma holds for $|w| = n$. Without loss of generality, suppose that $w = w_1 a_1 w_2 a_2 \cdots a_{k-1} w_k$, where in $w_1$ every call is matched by a return but there may be unmatched returns, $w_i$ ($i = 2, \dots, k$) are well-matched words, and $a_i$ ($i = 1, \dots, k-1$) are calls. After reading $w$, $M^d$ has the stack $(S_{k-1}, R_{k-1}, a_{k-1}) \cdots (S_1, R_1, a_1)\bot$ and its control state is $(S_k, R_k)$. By the induction assumption, $\Pi_2(S_k) = R_k$. Assume that $M^d$ reads an input symbol $a_k$. There are three cases for $a_k$:

• If $a_k \in \Sigma_i$: The automaton goes to the control state $(S', R')$. Similarly to the proof for the case $|w| = 1$, we get $\Pi_2(S') = R'$.

• If $a_k \in \Sigma_c$: The proof is trivial.

• If $a_k \in \Sigma_r$: The automaton changes control state to $(S', R')$ and pops the stack symbol $(S_{k-1}, R_{k-1}, a_{k-1})$. Namely, $(S_k, R_k) \xrightarrow{a_k/-(S_{k-1}, R_{k-1}, a_{k-1})} (S', R') \in \Delta'_r$ where
  $R' = \{q' \mid \exists q \in R_{k-1} : (q, q') \in Update\}$,
  $S' = \{(q, q') \mid \exists q_3 \in Q : (q, q_3) \in S_{k-1},\ (q_3, q') \in Update\}$, and
  $Update = \{(q, q') \mid \exists q_1, q_2 \in Q,\ \gamma \in \Gamma : (q_1, q_2) \in S_k,\ q \xrightarrow{a_{k-1}/+\gamma} q_1 \in \Delta_c,\ q_2 \xrightarrow{a_k/-\gamma} q' \in \Delta_r\}$.

Since $\Pi_2(S_{k-1}) = R_{k-1}$, we obtain $\Pi_2(S') = R'$. The lemma is proved.
2.3.2 Remove the $R$-Component

As seen in the previous section, the component $S$ of a state of $M^d$ satisfies $\Pi_2(S) = R$. Therefore, we can further optimize the determinization procedure by using the second component of the summary $S$ as the set of reachable states.

Let $M = (Q, Q_0, \Gamma, \Delta, F)$ be a nondeterministic VPA. We construct an equivalent deterministic VPA $M^{od} = (Q', Q'_0, \Gamma', \Delta', F')$ as follows: $Q' = 2^{Q \times Q}$, $Q'_0 = \{Id_{Q_0}\}$, $F' = \{S \mid \Pi_2(S) \cap F \neq \emptyset\}$, $\Gamma' = Q' \times \Sigma_c$, and the transition relation $\Delta' = \Delta'_i \cup \Delta'_c \cup \Delta'_r$ is given by:

• Internal: For every $a \in \Sigma_i$, $S \xrightarrow{a} S' \in \Delta'_i$ where $S' = \{(q, q') \mid \exists q'' \in Q : (q, q'') \in S,\ q'' \xrightarrow{a} q' \in \Delta_i\}$.

• Push: For every $a \in \Sigma_c$, $S \xrightarrow{a/+(S,a)} Id_{R'} \in \Delta'_c$ where $R' = \{q' \mid \exists q \in \Pi_2(S),\ \gamma \in \Gamma : q \xrightarrow{a/+\gamma} q' \in \Delta_c\}$.

• Pop: For every $a \in \Sigma_r$,

- if the stack is empty: $S \xrightarrow{a/-\bot} S' \in \Delta'_r$ where $S' = \{(q, q') \mid \exists q'' \in Q : (q, q'') \in S,\ q'' \xrightarrow{a/-\bot} q' \in \Delta_r\}$.

- otherwise: $S \xrightarrow{a/-(S',a')} S'' \in \Delta'_r$, where
  $S'' = \{(q, q') \mid \exists q_3 \in Q : (q, q_3) \in S',\ (q_3, q') \in Update\}$ and
  $Update = \{(q, q') \mid \exists q_1, q_2 \in Q,\ \gamma \in \Gamma : (q_1, q_2) \in S,\ q \xrightarrow{a'/+\gamma} q_1 \in \Delta_c,\ q_2 \xrightarrow{a/-\gamma} q' \in \Delta_r\}$.

The next theorem follows immediately from the above construction.

Theorem 2 For a given nondeterministic VPA $M$ with $n$ states, one can construct a deterministic VPA $M^{od}$ such that $L(M^{od}) = L(M)$. Moreover, the numbers of states and stack symbols of $M^{od}$ are in the worst case $2^{n^2}$ and $|\Sigma_c| \cdot 2^{n^2}$, respectively.

Example 2 We illustrate the optimized procedure by determinizing the nondeterministic VPA $M$ of Figure 1. The result of this optimized determinization is given in Figure 2. We can see that the size of the determinized VPA is reduced.

Remark 2 We should mention that the model of nested words was proposed in [2] for the representation of data with both a linear ordering and a hierarchically nested matching of items. Recall that the input word of a VPA has an implicit nesting structure defined by matching occurrences of symbols in $\Sigma_c$ with symbols in $\Sigma_r$. In nested words, this nesting is given explicitly, and thus [2] defines finite-state acceptors (without stacks) for nested words, so-called nested word automata. One can interpret a nested word automaton as a visibly pushdown automaton over classical words. As shown in [2], a nondeterministic nested word automaton with $n$ states can be translated into a deterministic nested word automaton with at most $2^{n^2}$ states. In this paper, we show that the direct determinization of VPAs can be made tighter, matching this bound. As a stack-based implementation is the most natural way to model recursive programs, we hope that our simple improvement on the determinization procedure of VPAs is still useful.



3 Universality and Inclusion Checking

Owing to visibility and determinizability, the class of VPAs is closed under union, intersection, and complementation. Moreover, it has been shown that the universality and inclusion problems are EXPTIME-complete [1].
Figure 2: An example for optimized determinization of VPA. (a) The nondeterministic VPA $M$; (b) a part of the optimized deterministic VPA $M^d$, with the states $\{(0,0)\}$ and $\{(0,0),(1,1)\}$ and the stack symbols $A1 = (\{(0,0),(1,1)\}, \{0\}, a)$ and $A2 = (\{(0,0),(1,1)\}, \{0,1\}, a)$.



3.1 Emptiness Checking

A pushdown system (see [5, 7], for example) is a pushdown automaton that disregards input symbols. Bouajjani et al. have introduced an efficient symbolic method to compute the reachable configurations of a pushdown system (this method was extended to model checking LTL properties of pushdown systems by Esparza et al. [7, 8]). The key to their technique is to use a finite automaton, a so-called P-automaton, to encode an infinite set of configurations of a pushdown system. It is easy to see that the P-automaton technique can be used to solve the emptiness problem for pushdown automata (or visibly pushdown automata). To check the emptiness of a pushdown automaton $M$, the first step is to compute the set of its reachable configurations using P-automata. Second, if there exists an accepting reachable configuration, we conclude that the language of $M$ is not empty.

In the following, we adapt the P-automata technique to checking emptiness of visibly pushdown automata. Our definition, though in essence not different from the one in [5, 7, 8], has been tailored so that the concepts discussed in this paper are easily related to it. Given a VPA $\mathcal{P} = (Q, Q_0, \Gamma, \Delta, F)$, a P-automaton is used to represent sets of configurations $C$ of $\mathcal{P}$. A P-automaton uses $\Gamma$ as the input alphabet and $Q$ as the set of initial states. Formally,

Definition 3 (P-automata) 1. A P-automaton of a VPA $\mathcal{P}$ is a finite automaton $A = (P, \Gamma, \delta, Q, F_A)$ where $P$ is the finite set of states, $\delta \subseteq P \times \Gamma \times P$ is the set of transitions, $Q$ is the set of initial states and $F_A \subseteq P$ is the set of final states.

2. A P-automaton accepts or recognizes a configuration $(p, w)$ if $p \xrightarrow{w}{}^* q$ for some $p \in Q$, $q \in F_A$. The set of configurations recognized by a P-automaton $A$ is denoted by $Conf(A)$.

For a VPA $\mathcal{P} = (Q, Q_0, \Gamma, \Delta, F)$ and a set of configurations $C$, let $A$ be a P-automaton representing $C$. The P-automaton $A_{post^*}$ representing the set of configurations reachable from $C$, $Post^*(C)$, is constructed as follows. We compute $Post^*(C)$ as the language accepted by a P-automaton $A_{post^*}$ with $\varepsilon$-moves. We denote the relation $q\,(\xrightarrow{\varepsilon})^* \cdot \xrightarrow{\gamma} \cdot (\xrightarrow{\varepsilon})^*\,p$ by $q \Rightarrow^{\gamma} p$. Formally, $A_{post^*}$ is obtained from $A$ in two stages:

• For each pair $(q', \gamma)$ such that $\mathcal{P}$ contains at least one rule of the form $q \xrightarrow{a/+\gamma} q' \in \Delta_c$, add a new state $p_{(q',\gamma)}$ to $A$.

• Add new transitions to $A$ according to the following saturation rules:

1. Internal: If $q \xrightarrow{a} q' \in \Delta_i$ and $q \Rightarrow^{\gamma} p$ in the current automaton, add a transition $(q', \gamma, p)$.

2. Push: If $q \xrightarrow{a/+\gamma'} q' \in \Delta_c$ and $q \Rightarrow^{\gamma} p$ in the current automaton, first add $(q', \gamma', p_{(q',\gamma')})$, and then add $(p_{(q',\gamma')}, \gamma, p)$.

3. Pop: If $q \xrightarrow{a/-\gamma} q' \in \Delta_r$ and $q \Rightarrow^{\gamma} p$ in the current automaton, add a transition $(q', \varepsilon, p)$.

Note that, by Definition 1, a return on $\bot$ reads the bottom symbol without popping it, so a transition $q \xrightarrow{a/-\bot} q'$ is handled as in rule 1 (add $(q', \bot, p)$ whenever $q \Rightarrow^{\bot} p$) rather than as in rule 3; otherwise the $\varepsilon$-edge would claim that a configuration with an empty stack is reachable.

Figure 3: An example of P-automata. (a) A VPA $M$; (b) a P-automaton for $Conf(M)$.



Example 3 Let us revisit the nondeterministic VPA $M$ of Figure 1. A P-automaton for the set of all reachable configurations of $M$ is given in Figure 3.

3.2 Universality Checking

In this section, we propose an on-the-fly method to solve the universality and inclusion problems for visibly pushdown automata. We first briefly recall the standard method.

3.2.1 Standard Method

The standard algorithm for universality of a VPA is to first determinize the automaton, and then check for the reachability of a non-accepting state. Reachable configurations of a determinized VPA can be computed using the P-automata technique. A configuration $c = (q, w)$ is called a rejecting configuration if $q$ is not a final state. Whenever a rejecting configuration is found, we stop and report that the original VPA is not universal. Otherwise, if all reachable configurations of the determinized VPA are accepting configurations, the original VPA is universal.

3.2.2 On-the-fly Method

To improve the efficiency of checking, we perform on-the-fly determinization and P-automaton construction simultaneously. There are two interleaved phases in this approach. First, we determinize the VPA $M$ step by step (in iterations). After each step of determinization, we update the P-automaton. Then, using the P-automaton, we perform determinization again, and so on. It is crucial to note that this procedure terminates, because the size of $M^{od}$ is finite and the P-automaton construction terminates. Moreover, once a rejecting state is added to the P-automaton, we stop and report that the VPA is not universal. Let $Conf(M^{od})$ and $Rejecting\text{-}Conf(M^{od})$ denote the sets of reachable and rejecting configurations of $M^{od}$, respectively. With the above observation, the following lemma holds:

Lemma 2 Let $M$ be a nondeterministic VPA. The automaton $M$ is not universal iff there exists a rejecting reachable configuration of $M^{od}$, i.e., $Conf(M^{od}) \cap Rejecting\text{-}Conf(M^{od}) \neq \emptyset$.

Therefore checking universality of $M$ amounts to finding a rejecting configuration of $M^{od}$. In Algorithm 1 we present an on-the-fly way to explore such rejecting configurations.

Algorithm 1 On-the-fly algorithm

Input: A nondeterministic VPA $M = (Q, Q_0, \Gamma, \Delta, F)$
Result: Universality of $M$

begin
  Create the initial state of the determinized VPA $M^{od}$;
  Initiate a P-automaton $A$ to represent the initial configuration of $M^{od}$;
  $A_{post^*} \leftarrow A$;
  Create the transitions of $M^{od}$ departing from the initial state;
  while (the set of new transitions of $M^{od}$ is not empty) do
    Update the P-automaton $A_{post^*}$ using the new transitions of $M^{od}$;
    if a rejecting state is added to $A_{post^*}$ then
      return False;
    end if
    Update $M^{od}$ using the new transitions of $A_{post^*}$;
  end while
  return True;
end



As noted above, the worst-case time complexity of the on-the-fly method is the same as that of the standard one. However, if the input VPA is not universal, the on-the-fly method is significantly faster, because it does not need to perform a full determinization: it stops immediately once a rejecting state is found.

Example 4 We illustrate the on-the-fly algorithm by the example given in Figure 4. We assume that $a \in \Sigma_c$, $b \in \Sigma_i$ and $c \in \Sigma_r$. The algorithm proceeds as follows:

Figure 4: Simulation of the on-the-fly method (the figure shows the reachable configurations and the step at which the algorithm stops with the answer "No").

1. At the start, the initial state $q_1$ of the determinized VPA $M^{od}$ is created.

2. Then, the P-automaton $A$ is constructed; it consists of two states $\{q_1, f\}$ and one transition $q_1 \xrightarrow{\bot} f$, where $f$ is the unique final state. The P-automaton $A$ represents the set of initial configurations $\{(q_1, \bot)\}$ of $M^{od}$.

3. Update $M^{od}$ using $A$. Suppose that $M^{od}$ gets the new states $\{q_2, q_3, q_4\}$ and the new transitions $\{q_1 \xrightarrow{a/+\gamma} q_2,\ q_1 \xrightarrow{b} q_3,\ q_1 \xrightarrow{c/-\bot} q_4\}$.

4. Update the P-automaton $A$ using the new transitions of $M^{od}$. $A$ gets the new states $\{q_2, q_3, q_4, p_{(q_2,\gamma)}\}$ and the transitions $\{q_2 \xrightarrow{\gamma} p_{(q_2,\gamma)},\ p_{(q_2,\gamma)} \xrightarrow{\bot} f,\ q_3 \xrightarrow{\bot} f,\ q_4 \xrightarrow{\bot} f\}$.

5. Again, update $M^{od}$ using the new transitions of $A$, and so on.
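The following Python example, added here and not part of the paper's Java prototype, implements Algorithm 1 end to end: the three transition rules of $M^{od}$ from Section 2.3.2 are evaluated lazily, the P-automaton saturation rules of Section 3.1 are applied to those transitions as soon as a pair (state, top-of-stack symbol) becomes reachable, and the search stops at the first rejecting state of $M^{od}$ that appears as a source in the P-automaton. The constructed example VPA, the dictionary encoding, and the names `BOT`, `EPS`, `FINAL`, `det_internal`, `det_push`, `det_pop`, `arrows` and `universal` are all mine. A return on $\bot$ is treated as a read without pop, as in Definition 1, so its saturation edge is labelled $\bot$ rather than $\varepsilon$.

```python
# Added example: Algorithm 1 as interleaved lazy determinization (M^od, Section 2.3.2)
# and P-automaton saturation (Section 3.1).  Not the paper's code.
BOT, EPS, FINAL = "bot", "eps", "final"


def example(q0, final):
    """Constructed nondeterministic VPA over Sigma_c={a}, Sigma_r={c}, Sigma_i={b}, Gamma={g, bot}.
    Tables: c[(q, a)] = {(q', gamma)}, i[(q, a)] = {q'}, r[(q, a, gamma)] = {q'}."""
    return {"Q0": set(q0), "F": set(final),
            "c": {(0, "a"): {(0, "g"), (1, "g")}},            # 0 -a/+g-> 0 and 0 -a/+g-> 1
            "i": {(0, "b"): {0}, (1, "b"): {1}},
            "r": {(0, "c", "g"): {0}, (1, "c", "g"): {1},      # matched returns
                  (0, "c", BOT): {0}, (1, "c", BOT): {1}}}    # bot is read but never popped


def accepting(M, S):
    """F' = {S | Pi_2(S) meets F}: a state of M^od accepts iff some summary ends in F."""
    return any(q2 in M["F"] for _, q2 in S)


def det_internal(M, S, a):
    """S' = {(q,q') | (q,q'') in S, q'' -a-> q'}."""
    return frozenset((q, q2) for q, q1 in S for q2 in M["i"].get((q1, a), ()))


def det_push(M, S, a):
    """Push the symbol (S,a) and move to Id_{R'}, R' = call successors of Pi_2(S)."""
    R = {q2 for _, q1 in S for q2, _ in M["c"].get((q1, a), ())}
    return frozenset((q, q) for q in R), (S, a)


def det_pop(M, S, a, top):
    """Return with stack top `top`: either bot (read, not popped) or a pushed (S0, a0)."""
    if top == BOT:
        return frozenset((q, q2) for q, q1 in S for q2 in M["r"].get((q1, a, BOT), ()))
    S0, a0 = top
    # Update = {(q,q') | q -a0/+g-> q1, (q1,q2) in S, q2 -a/-g-> q'}; S'' composes S0 with it
    upd = {(q, q3) for (q, sym), pushes in M["c"].items() if sym == a0
           for q1, g in pushes for p1, q2 in S if p1 == q1
           for q3 in M["r"].get((q2, a, g), ())}
    return frozenset((q, q3) for q, q2 in S0 for p2, q3 in upd if p2 == q2)


def eps_closure(edges, src):
    seen, todo = {src}, [src]
    while todo:
        x = todo.pop()
        for s, lab, d in edges:
            if s == x and lab == EPS and d not in seen:
                seen.add(d)
                todo.append(d)
    return seen


def arrows(edges, q):
    """{(gamma, p) | q =>gamma p}, i.e. q (eps)* gamma (eps)* p in the current P-automaton."""
    return {(lab, p) for x in eps_closure(edges, q) for s, lab, d in edges
            if s == x and lab != EPS for p in eps_closure(edges, d)}


def universal(M, calls=("a",), rets=("c",), ints=("b",)):
    """Algorithm 1.  Returns (answer, number of states of M^od created before the answer)."""
    S0 = frozenset((q, q) for q in M["Q0"])                       # Id_{Q0}
    edges, states = {(S0, BOT, FINAL)}, {S0}                      # P-automaton for {(S0, bot)}
    if not accepting(M, S0):
        return False, 1
    changed = True
    while changed:                                                # saturate until no new edge
        changed = False
        for S in list(states):
            for gamma, p in arrows(edges, S):                     # (S, gamma ...) is reachable
                new = {(det_internal(M, S, a), gamma, p) for a in ints}          # rule 1
                for a in calls:                                                  # rule 2
                    S1, g1 = det_push(M, S, a)
                    mid = ("p", S1, g1)                           # the state p_(S1, g1)
                    new |= {(S1, g1, mid), (mid, gamma, p)}
                for a in rets:                                                   # rule 3
                    S1 = det_pop(M, S, a, gamma)
                    new.add((S1, BOT if gamma == BOT else EPS, p))
                for e in new - edges:
                    edges.add(e)
                    changed = True
                    if isinstance(e[0], frozenset) and e[0] not in states:
                        states.add(e[0])
                        if not accepting(M, e[0]):                # rejecting configuration reached
                            return False, len(states)
    return True, len(states)


if __name__ == "__main__":
    print(universal(example({0}, {0, 1})))   # universal: every reachable S keeps 0 in Pi_2(S)
    print(universal(example({1}, {1})))      # not universal: reading a from state 1 is impossible
```

`universal` returns the answer together with the number of states of $M^{od}$ it had to build. For the universal variant of the constructed VPA that number is 3, far below the bound $2^{n^2} = 16$ of Theorem 2; for the variant starting in state 1 the empty summary set $\emptyset$ (a rejecting state) shows up as soon as the first call is explored, so the search stops after two states, which is the behaviour the running-time comparison in Section 4 relies on.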



3.3 Inclusion Checking 

Let A and B be two VPAs. We want to check whether L(A) C L(B). The standard method is to check 
whether L(A x B) = 0, where B is the complement of B. 

The on-the-fly approach tries to find if there exists at least a word w S L(A) \L(B). If such a word w 
was found, we can conclude that L(A) <£. L(B). Otherwise, L(A) is a subset of L(B). To do so, similar to 
the case of universality checking, we perform on-the-fly determinization for B and simultaneously 2?- 
automata construction for the product VPA A x B" d , where B ud is determinized counterpart of B. Once 
a state (p,q) £ (Fa x (Q B od\F B od) is added to the ^-automaton. There exists a word w such that, after 
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Table 1 : Universality checking for VPA generated by random 1 













number of states 










OM TUP PI V 
I nt-rLY 


c 

D 








40 


50 


60 


7A 

( u 


OA 

oU 


QA 

yu 


1UU 




50 




50 




50 


50 


50 


50 


SO 


SO 




total time 


23 


46 


52 


71 


110 


186 


210 


274 


247 


407 


686 


timeout number (60 s) 
































4 












number of states 










STANDARD 


5 


10 


20 


30 


40 


50 


60 


70 


80 


90 


100 


success 


21 


1 





























total time 


456 


31 





























timeout number (60 s) 


29 


49 


50 


50 


50 


50 


50 


50 


50 


50 


50 



reading w, A leads to an accepting configuration whereas B leads to a rejecting configuration. This 
means that there exists a word w G £(A) \L(B). In this case, we stop and report that L(A) ^ 

It is crucial to note that, if L(A) C L(B), the on-the-fly approach needs to fully determinize B, and this 
is similar to the standard approach. Therefore, in the worst case, the time complexity of the on-the-fly 
approach equals to that of the standard one. 

4 Implementation and Experiments

We have implemented the above approaches for testing universality and inclusion of VPAs in a prototype tool. The package is implemented in Java 1.5.0 on Windows XP. To compare the on-the-fly algorithm with the standard algorithm, we run our implementations on randomly generated VPAs. All tests were performed on a PC equipped with a 1.50 GHz Intel Core Duo processor L2300 and 1.5 GB of memory.

During the experiments, we fix the size of the input alphabet to $|\Sigma_c| = |\Sigma_r| = |\Sigma_i| = 2$, and the size of the stack alphabet to $|\Gamma| = 3$. We first set the parameters of the tests as follows:

Definition 4 (random 1) The density of final states is $f = |F|/|Q| = 1$ and the density of transitions is $r = k_a/|Q| = 2$, where $k_a$ is the number of transitions for each input symbol $a$.

We ran our tests on VPAs randomly generated with the parameters of random 1. We tried VPA sizes from 5 to 100 states. We generated 50 VPAs for each sample point, setting the timeout to 60 seconds. The experimental results are given in Table 1. We found that all successfully checked VPAs are not universal, and thus we omit the row for universal results in the table. The experiments show that STANDARD can only solve the generated VPA instances with 5 states. It gets stuck when the number of states is greater than or equal to 10. Meanwhile, ON-THE-FLY is significantly more efficient than STANDARD: it can check almost all of the VPAs.

The parameter random 1 does not guarantee the completeness of VPAs. Therefore, the probability of being universal is very low. In order to increase the probability of being universal, we set new parameters as follows:

Definition 5 (random 2) The density of final states is $f = |F|/|Q|$ and the density of transitions is a function $r : Q \times \Sigma \to \mathbb{N}$; $r(q, a)$ depends not only on the input symbol $a$ but also on the state $q$. In particular, we select $r(q, a) = 1$ for all $q \in Q$ and $a \in \Sigma_c$, $r(q, b) = 6$ for all $q \in Q$ and $b \in \Sigma_r$, and $r(q, c) = 2$ for all $q \in Q$ and $c \in \Sigma_i$.
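To make the experimental setup reproducible, here is an added Python generator (mine, not the paper's tool) that draws VPAs according to Definitions 4 and 5 with the alphabet sizes fixed above. State 0 is the single initial state and the final states are drawn to match $f$. Because the definitions do not say which stack symbols a return transition may read, this generator lets a return read any symbol of $\Gamma$ or $\bot$; that choice, the symbol names and the function names are assumptions. The encoding of the result is the dictionary form used in the earlier examples on this page.

```python
# Added example (not the paper's tool): random VPA instances per Definitions 4 and 5.
import itertools
import random

BOT = "bot"


def random_vpa(n, f, r, calls=("a1", "a2"), rets=("c1", "c2"), ints=("b1", "b2"),
               gamma=("g1", "g2", "g3"), seed=0):
    """n states 0..n-1, state 0 initial, round(f*n) final states.
    r an int   -> random 1: k_a = r*n transitions per input symbol a, drawn without replacement.
    r callable -> random 2: r(q, a) distinct transitions out of each state q on each symbol a.
    Returns read any symbol of gamma or BOT (an assumption; the paper does not specify)."""
    rng = random.Random(seed)
    Q = range(n)
    M = {"Q0": {0}, "F": set(rng.sample(Q, round(f * n))), "c": {}, "i": {}, "r": {}}
    # table, its input symbols, and the candidate "tails" of a transition leaving a state
    kinds = [("c", calls, list(itertools.product(Q, gamma))),          # push: (q', gamma)
             ("i", ints, list(Q)),                                     # internal: q'
             ("r", rets, list(itertools.product(gamma + (BOT,), Q)))]  # pop: (gamma, q')
    for table, symbols, tails in kinds:
        for a in symbols:
            if callable(r):
                chosen = [(q, t) for q in Q for t in rng.sample(tails, r(q, a))]
            else:
                chosen = rng.sample(list(itertools.product(Q, tails)), r * n)
            for q, t in chosen:
                key, val = ((q, a, t[0]), t[1]) if table == "r" else ((q, a), t)
                M[table].setdefault(key, set()).add(val)
    return M


def random2(q, a):
    """The density function of Definition 5: 1 per call symbol, 6 per return, 2 per internal."""
    return {"a": 1, "c": 6, "b": 2}[a[0]]


def count_transitions(M):
    """Number of transitions per kind, useful to confirm the densities actually generated."""
    return {k: sum(len(v) for v in M[k].values()) for k in ("c", "i", "r")}


if __name__ == "__main__":
    print(count_transitions(random_vpa(10, 1.0, 2, seed=1)))        # random 1, 10 states
    print(count_transitions(random_vpa(5, 0.6, random2, seed=2)))   # random 2, f = 0.6
```

Sampling without replacement is what makes $k_a$ exact: drawing $k_a$ transitions with replacement would produce duplicates and silently lower the density for small automata, which matters when comparing timeouts across sizes.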
Table 2: Universality checking for VPAs generated by random 2, $f = 0.6$

Table 3: Checking inclusion with $r(q, a) = 2$, $f = 0.5$
As can be seen, with random 2 a VPA with 10 states has 200 transitions. We again tested various sizes of VPAs from 5 to 50 states. We ran 50 samples for each point, setting the timeout to 180 seconds. The results are reported in Table 2. For this parameter setting, STANDARD almost always times out, even with only 5 states. ON-THE-FLY behaves significantly better than STANDARD.

We also performed experiments for inclusion checking $L(A) \subseteq L(B)$. For this, we selected the parameters of random 2 with $f = 0.5$. We generated various sizes of $A$ (10, 100, 200, 500, 1000, and 3000 states) and $B$ (5 and 10 states). We ran 20 samples for each point, setting the timeout to 300 seconds. For this test, STANDARD does not work well: it times out on every sample even for the smallest size (10, 5). Meanwhile, ON-THE-FLY performs well. The detailed experimental results of ON-THE-FLY for inclusion checking are reported in Table 3.

5 Related Work 

The model of nested words was proposed in [2] for representation of data with both a linear ordering 
and a hierarchically nested matching of items. Recall that the input word of a VPA has an implicit nest- 
ing structure defined by matching occurrences of symbols in $\Sigma_c$ with symbols in $\Sigma_r$. In nested words, 
this nesting is given explicitly, and thus they defined finite-state acceptors (without stacks) for nested 
words, so-called nested word automata. One can interpret a nested word automaton as a visibly push- 
down automaton over classical words. As shown in [2], a nondeterministic nested word automaton with 
$n$ states can be translated into a deterministic nested word automaton with at most $2^{n^2}$ states. In this 
paper, we show that the direct determinization of VPAs can be made tighter. As stack-based implementation 
is the most natural way of modeling recursive programs, we hope that our simple improvement on 
the determinization procedure of VPAs is still useful. 

The first implementation of VPA, named VPAlib [j], only works for basic operations such as union, 
intersection, and determinization. In their implementation, however, determinization was performed in 
an exhaustive way; namely, unreachable states and redundant transitions were also generated. Therefore 
their determinization easily gets stuck even with VPAs of small size. We implemented our prototype tool on 
top of VPAlib. In particular, we first reused and improved the data structures as well as the basic operations 
of VPAlib. Next, we implemented determinization in an on-the-fly manner, in which only reachable states and 
necessary transitions are created. Then, we used the $\mathcal{P}$-automata technique to check emptiness (as well 
as to compute reachable configurations) of VPAs. Finally, we implemented the standard and on-the-fly 
methods to check universality and inclusion of VPAs. 



6 Conclusion 

In this paper we have shown that the upper bound for determinization of VPA can be made tighter. Our 
improvement comes from a simple observation that, in the Alur-Madhusudan determinization procedure, the 
set of summaries $S$ may contain unnecessary pairs, in the sense that these pairs do not keep information about 
reachable states. We exploit this observation to present a new algorithm for determinization by keeping 
the second component of $S$ always equal to $R$. This leads to an optimization of the determinization 
algorithm: using the second component of the summary edge $S$ as the set of reachable states $R$ 
permits constructing a deterministic VPA with only $2^{n^2}$ states. 

We also have presented on-the-fly algorithms for testing universality and inclusion of nondeterminis- 
tic VPAs. In summary, to check universality of a nondeterministic VPA $M$, the intuition behind the on-the-fly 
manner is to try to find whether there exists a word $w$ such that $w \notin L(M)$. Similarly, to check inclusion 
$L(M) \subseteq L(N)$, the idea is to find whether there exists at least one word $w$ such that $w \in L(M) \setminus L(N)$. 
All algorithms have been implemented in a prototype tool. Although the ideas of the on-the-fly methods 
are simple, the experimental results showed that the proposed algorithms are considerably faster than the 
standard ones, especially in the cases where universality or inclusion does not hold. 
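As an added illustration (not the paper's or VPAlib's code), the following Python sketch implements one transition of the summary-based determinization with the reachable set taken as the second components of $S$, and uses it in an on-the-fly, breadth-first search for a word $w \notin L(M)$ over a constructed two-state VPA. The toy automaton, the dictionary encoding of its transitions and the depth bound of the search are assumptions made for the example.

```python
from collections import deque
# Constructed toy VPA (example data, not from the paper): ints[(q, a)] -> {q'},
# calls[(q, c)] -> {(q', gamma)}, rets[(q, r, gamma)] -> {q'}; gamma == BOTTOM on the empty stack.
BOTTOM = "_"
VPA = dict(
    states={0, 1}, init={0}, final={0}, sigma_i={"a"}, sigma_c={"c"}, sigma_r={"r"},
    ints={(0, "a"): {0}, (1, "a"): {1}},
    calls={(0, "c"): {(0, "g"), (1, "h")}},
    rets={(0, "r", "g"): {1}, (1, "r", "h"): {0}, (0, "r", BOTTOM): {0}},
)

def reach(S):
    return {q2 for _, q2 in S}  # reachable states = second components of S; no separate R kept

def det_step(vpa, S, stack, x):
    """One step of the summary-based determinization; S is a frozenset of summary pairs (q, q')."""
    if x in vpa["sigma_i"]:
        return frozenset((q, q2) for q, q1 in S for q2 in vpa["ints"].get((q1, x), ())), stack
    if x in vpa["sigma_c"]:  # push the current summary with the call symbol, restart from identity
        R = {q2 for _, q1 in S for q2, _ in vpa["calls"].get((q1, x), ())}
        return frozenset((q, q) for q in R), stack + ((S, x),)
    if not stack:  # unmatched return: consult the bottom-of-stack symbol
        return frozenset((q, q2) for q, q1 in S for q2 in vpa["rets"].get((q1, x, BOTTOM), ())), stack
    Sp, c = stack[-1]
    # update: q1 -c/gamma-> q2, (q2, q2p) summarises the call body, q2p -x,gamma-> q3
    update = {(q1, q3) for q2, q2p in S for q1 in vpa["states"]
              for q2b, g in vpa["calls"].get((q1, c), ()) if q2b == q2
              for q3 in vpa["rets"].get((q2p, x, g), ())}
    return frozenset((q, q3) for q, q1 in Sp for q1b, q3 in update if q1b == q1), stack[:-1]

def find_rejected_word(vpa, max_len):
    """On-the-fly universality: BFS over deterministic configurations (S, stack), built only as
    needed, until one reaches no final state; returns that witness w (w not in L(M)), or None
    if every word of length <= max_len is accepted (bounded search: None proves nothing)."""
    start = (frozenset((q, q) for q in vpa["init"]), ())
    queue, seen = deque([(start, "")]), {start}
    alphabet = sorted(vpa["sigma_i"] | vpa["sigma_c"] | vpa["sigma_r"])
    while queue:
        (S, stack), w = queue.popleft()
        if not reach(S) & vpa["final"]:
            return w
        if len(w) < max_len:
            for x in alphabet:
                conf = det_step(vpa, S, stack, x)
                if conf not in seen:
                    seen.add(conf)
                    queue.append((conf, w + x))
    return None
```

On the toy automaton the search stops at the shortest rejected word "ccrr" (two nested calls, then two returns), whereas the full determinized VPA is never built.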

Finally, we should emphasize that we need to improve our tool (as well as the algorithms) to check larger 
examples. On the other hand, we also need to consider applying the tool to case studies in practice. At the 
moment, the data structures for VPA are rather naive, which is why the running time of our tool is not fast. 
It would be interesting to explore a more compact data structure; for this, we plan to manipulate VPAs 
using a BDD-based representation. Despite these many limitations, however, we believe that this paper 
provides a first stepping-stone for developing a VPA-based model checker. 